This article was updated on April 24, 2024, to reflect the current status of the AMAPI beta.
At VMware Explore, we took a deep dive into the next evolution in Android device management: Android Management API (AMAPI). Now, we’re excited to announce that the beta for AMAPI is live! Today, the beta supports management of devices in Work Profile mode, which is used to manage personally owned devices (BYOD), as well as limited support for Corporate Owned Personally Enabled (COPE) mode.
What is AMAPI?
AMAPI is a new approach to Android device management in the enterprise. AMAPI is part of Android’s DNA — it is native to the Android OS and is developed by Google. This unlocks capabilities that are not possible in our current approach to Android Enterprise, called Custom Device Policy Controller (DPC). An example of an AMAPI-only feature is the recently introduced Lost Mode for Corporate Owned Personally Enabled (COPE) devices. Here are three benefits of AMAPI:
Simple: Workspace ONE Unified Endpoint Management (UEM) builds the desired state of the device and transmits it to AMAPI, which AMAPI applies to the device. This simplifies the process of supporting new Android features within the Workspace ONE UEM console.
Native: AMAPI is part of the Android DNA and is updated and maintained by Google. Therefore, device management best practices are built into AMAPI by Google, and it is a common stack used throughout the Android ecosystem.
Powerful: AMAPI takes additional steps to ensure that policies are enforced on devices. For example, AMAPI can enforce minimum passcode complexity requirements on personally owned devices.
How is AMAPI different from Custom DPC?
Today, Workspace ONE UEM uses an approach to Android Enterprise called Custom DPC. With Custom DPC, Workspace ONE UEM distributes policies, internal apps, and more to Workspace ONE Intelligent Hub, which acts as the primary management application of the device or Work Profile. Intelligent Hub applies these resources to the device and returns device information to Workspace ONE UEM.
Public apps are applications published in the Managed Google Play Store. To distribute public apps, Workspace ONE UEM leverages the Google Play EMM API to distribute public apps to devices through the managed Google Play Store.
Now, let’s go over AMAPI. With AMAPI, Workspace ONE UEM transmits the device’s desired state to AMAPI. In a similar manner to Custom DPC, this includes what public apps AMAPI should install on the device. Workspace ONE also transmits which management policies — passcode requirements, certificates, app permission settings — to AMAPI. In turn, AMAPI pushes policies to the Android Device Policy (ADP) client, which applies them to the device. In AMAPI, it is ADP, a native component of Android, that serves as the primary management application on the device. ADP runs on all Android devices with GMS on Android 5.1+. Note that Workspace ONE UEM defines its minimum supported OS versions here.
Aside from applying management policies, ADP also transmits device state information to AMAPI, which in turn transmits this to Workspace ONE UEM through Google Pub/Sub.
Workspace ONE Intelligent Hub remains vital to device management. It handles distribution of certificates and internal apps, and it enables unique features like product provisioning and Freestyle Orchestrator. Intelligent Hub is also more than just a management client. It hosts our unified application catalog, Mobile Threat Defense SDK, integrations with Intelligence for advanced analytics, and much more. This is why Intelligent Hub is present in all devices we manage using AMAPI.
What are the IT admin and end-user experiences like for AMAPI?
AMAPI introduces several admin and device end-user experience changes.
As an administrator, you will see two major updates in the Workspace ONE UEM Console:
When creating Android Profiles, you will now choose whether to create profiles for Custom DPC or AMAPI.
You can now choose whether new devices enrolling into Workspace ONE UEM will be managed using Custom DPC or AMAPI. This can be set by mode (Work Profile, COPE, or Fully Managed) and by Organization Group.
As a device end user:
In addition to initiating enrollment through Intelligent Hub, you can now initiate enrollment of your personally owned devices by launching an AMAPI Enrollment URL. This Enrollment URL is shared by the UEM administrator and can be distributed through a QR code, text, email, internal site, or other means.
When you set a policy that requires end-user interaction, AMAPI will take actions to ensure the policy requirements are met. For example, when you set minimum device passcode requirements via Profiles, AMAPI will suspend managed applications until the device passcode meets the policy requirements. AMAPI also guides the end user to set a passcode that is compliant with the policy.
How and when should I adopt AMAPI?
AMAPI represents the future of Android device management and has introduced many benefits, including unique features. We encourage organizations to familiarize themselves with AMAPI and adopt it as appropriate for their unique use cases.
Whether a device is managed using Custom DPC or AMAPI will initially need to be decided at the time of enrolling a device. Organizations will be able to take a cap-and-grow approach in adopting AMAPI. Without impacting enrolled devices managed with Custom DPC, organizations can configure Workspace ONE UEM to use AMAPI for new device enrollments. Organizations can enable AMAPI for new enrollments for specific management modes (Work Profile, COPE, or Fully Managed) as well as for organization-specific groups only.
We are excited to share that our roadmap includes supporting migration of devices from Custom DPC to AMAPI without requiring re-enrollment. This migration will be supported for all modes in the future — Work Profile, COPE, and Fully Managed.
AMAPI beta and beyond
The AMAPI beta is live today! Today, the beta supports management of devices in Work Profile mode, which is used to manage personally owned devices (BYOD), as well as limited support for Corporate Owned Personally Enabled (COPE) mode. As the beta continues, we will add more functionality for both management modes and introduce support for Fully Managed mode using AMAPI. For more information regarding the different Android Enterprise management modes, please see the “Operational Tutorial for Managing Android Devices.”
Similarly, support for Work Profile mode in AMAPI will be available in production environments first, followed by COPE and then Fully Managed modes.
Sign up for the AMAPI beta on our VMware Anywhere Workspace Early Access™ Program portal here. You can find testing guides and other resources for AMAPI under the Android Intelligent Hub project.
We look forward to your testing and feedback. Note that only the first wave of features has been released in our beta, and more will be added as the beta continues. Stay tuned for more updates!